The VASP-to-CASP Transition Deadline Is Five Weeks Away and Some Exchanges Are Not Ready

On July 1, 2026, the grandfathering window under the EU's Markets in Crypto-Assets Regulation closes. Any virtual asset service provider that has been operating in the European Union under a pre-existing national registration and has not obtained formal CASP authorization by that date must immediately cease EU-market activities or face enforcement action from national competent authorities. France has already issued 14 enforcement notices since Q4 2025. National regulators across the EU are reporting severe application backlogs, meaning exchanges that submitted authorization requests late in the process may not receive a decision before the deadline passes.

Bitcoin VASP compliance refers to the full set of legal and operational obligations that a virtual asset service provider (VASP) must satisfy to lawfully operate a Bitcoin exchange, custody service, or transfer facility. These obligations originate in FATF Recommendation 15, which extended the international AML and counter-terrorist financing framework to Bitcoin and other virtual assets in 2019, and are implemented through national legislation in over 60 jurisdictions worldwide. Core requirements include KYC and customer due diligence, AML/CFT program maintenance, Travel Rule compliance, sanctions screening, and suspicious activity reporting.

This article covers what VASP compliance requires at the operational level, how the VASP framework differs from the EU's newer CASP standard, what the July 2026 MiCA deadline means for exchanges and their users, and how virtual asset service provider obligations are evolving in the US, Australia, and Brazil in 2026. The regulatory timeline is compressing across every major jurisdiction simultaneously, which makes understanding the full compliance stack more urgent than at any previous point in the Bitcoin market's history.

What Bitcoin VASP Compliance Requires

The VASP classification originates in the FATF Recommendations and applies to any individual or legal entity that conducts one or more of five activities on behalf of another person: exchanging virtual assets for fiat currency, exchanging one virtual asset for another, transferring virtual assets, safekeeping or administering virtual assets or instruments that enable control over them, or participating in and providing financial services related to a virtual asset issuer's offer or sale.

Once classified as a VASP, an entity must maintain a written AML/CFT program. That program must include a documented risk assessment that identifies the specific money laundering and terrorist financing risks the business faces, a compliance officer with sufficient seniority and resources to implement the program, customer due diligence (CDD) procedures for onboarding and ongoing monitoring, a transaction monitoring system capable of flagging unusual patterns in real time, a mechanism for filing suspicious activity reports with the relevant financial intelligence unit, and Travel Rule data transmission for qualifying virtual asset transfers. According to FATF's 2026 compliance tracker, 85 of 117 assessed jurisdictions have now enacted Travel Rule legislation, up from 65 in 2024.

Customer Due Diligence and Enhanced Due Diligence

Customer due diligence under VASP compliance rules covers three levels. Standard CDD applies at onboarding for most retail customers and requires identity verification, name screening against sanctions lists, and assignment of a risk rating. Simplified due diligence may apply for low-risk, low-value accounts in jurisdictions that permit it. Enhanced Due Diligence (EDD) is required for higher-risk customers, including politically exposed persons, customers from FATF high-risk jurisdictions, and accounts with transaction patterns that deviate materially from their stated purpose. EDD requires additional documentation, source-of-funds verification, and more frequent account review cycles.

Sanctions screening is embedded at every level of the CDD process. A compliant VASP must screen customers against OFAC, UN, EU, and local sanctions lists at onboarding and re-screen continuously against updated lists. Blockchain analytics tools such as Chainalysis, Elliptic, and TRM Labs provide real-time wallet address screening that feeds directly into a VASP's transaction monitoring system. Regulators in 2026 evaluate whether these tools are actively functioning, not merely licensed.

Travel Rule Obligations for VASPs

The FATF Travel Rule, derived from Recommendation 16, requires VASPs to collect and transmit originator and beneficiary information alongside qualifying virtual asset transfers. The recommended de minimis threshold is $1,000 / €1,000, though the EU applies zero threshold and the US applies $3,000 for cross-border transfers. For each qualifying transfer, the originating VASP must transmit the originator's legal name, account identifier, and address reference to the beneficiary VASP using the IVMS 101 messaging standard before the on-chain transaction is broadcast. Both parties must screen the data against sanctions lists before the transfer proceeds. As of May 2026, 59% of jurisdictions with Travel Rule laws have not yet conducted enforcement action specifically tied to Travel Rule compliance, creating an uneven global landscape.

VASP vs. CASP vs. DASP: Why the Terminology Matters in 2026

The three terms coexist in global regulatory discourse and are not interchangeable. Understanding the distinction matters practically because the compliance requirements attached to each classification differ significantly in scope and depth.

VASP is the FATF umbrella term. It defines who must comply with AML/CFT standards globally and is used in national legislation across non-EU jurisdictions including the US, UK, Singapore, Australia, Brazil, and the UAE.

CASP (Crypto-Asset Service Provider) is the EU-specific classification established by MiCA. CASP authorization is more extensive than VASP registration. It encompasses all VASP-equivalent AML obligations plus organizational governance requirements (board composition, conflict-of-interest policies), prudential standards (minimum capital reserves based on the class of services offered), client asset segregation obligations, and detailed consumer protection disclosures. A CASP license granted by any EU national competent authority creates a passport for operation across the full European Economic Area, which is the primary commercial incentive for obtaining it.

DASP (Digital Asset Service Provider) is the term used in France under the AMF framework and in El Salvador. France was among the first jurisdictions to operationalize VASP registration, and its DASP designation predates MiCA. French DASPs have been required to migrate to full CASP authorization under the MiCA transition process.

The VASP-to-CASP Transition: What Is Actually Happening

According to Hacken's 2026 analysis of the MiCA transition, national competent authorities across the EU are facing severe application backlogs because the transition window compressed a multi-year authorization process into 18 months. Exchanges that submitted complete CASP applications early in the window are receiving authorizations. Those that submitted late, or that submitted incomplete applications, face two outcomes: a deemed rejection that requires them to cease EU operations, or an extension request that regulators may or may not grant. Bitstamp's publicly announced CASP license award under MiCA is the most prominent example of a major exchange successfully completing the transition.

Exchanges that cannot complete CASP authorization by July 1, 2026 and wish to continue serving EU customers have one remaining option: passport into the EU through a fully authorized CASP entity in another member state via a contractual arrangement, while the primary entity's own application is processed.

Regional VASP Compliance Developments in 2026

Beyond the EU, three jurisdictions are materially changing their VASP compliance requirements in 2026 in ways that affect Bitcoin exchanges operating across multiple markets.

In the United States, crypto regulatory compliance for VASPs continues to be layered across federal and state frameworks. At the federal level, FinCEN's April 2026 AML overhaul proposal explicitly names crypto exchanges as a category facing enhanced risk-based program expectations. The Bank Secrecy Act registration as a Money Services Business remains the foundational federal obligation. At the state level, California's Digital Financial Assets Law entered its enforcement phase on July 1, 2026, requiring any entity serving California residents to hold a DFAL license or cease operations in the state.

In Australia, AUSTRAC has issued updated VASP guidance in 2026 requiring all registered Digital Currency Exchange Providers to review their AML/CTF programs against a new risk typologies document that covers peer-to-peer transaction risks, DeFi exposure, and privacy coin handling. AUSTRAC's guidance treats failure to maintain current risk assessments as a program deficiency, not a documentation gap, which raises the enforcement threshold.

In Brazil, the Central Bank finalized its VASP licensing framework under Law 14,478/2022 and is in full implementation as of 2026. All exchanges serving Brazilian residents must hold a Brazilian VASP license and comply with Banco Central do Brasil reporting requirements, adding a new jurisdictional layer for exchanges that had previously served Brazil without formal registration.

Proof of Reserves: The Emerging VASP Compliance Obligation

One compliance requirement that is moving from voluntary best practice to expected standard in 2026 is proof of reserves. Following the collapse of FTX in 2022, major exchanges began publishing Merkle-tree-based proof-of-reserves attestations to demonstrate that customer assets are held 1:1 on the platform. By 2026, regulators in multiple jurisdictions are moving toward treating proof-of-reserves publication as a supervisory expectation rather than a voluntary disclosure.

The EU's MiCA regulation requires CASPs to segregate client assets and maintain sufficient reserves. Singapore's MAS issued guidance in 2024 requiring custodial crypto exchanges to hold customer digital assets in trust structures. The UK's FCA crypto review ongoing in 2026 includes client asset safeguarding as a primary examination area. For traders who execute spot BTC trades on a licensed platform, proof-of-reserves reporting is the most direct evidence that the exchange holds the assets it owes.

FAQ

What is a VASP in Bitcoin?

A VASP (Virtual Asset Service Provider) is any entity that exchanges, transfers, or custodies Bitcoin or other virtual assets on behalf of another person as a business activity. The FATF classification applies to crypto exchanges, custodial wallet providers, Bitcoin ATM operators, and certain DeFi platforms. Once classified as a VASP, an entity must comply with AML/CFT obligations including KYC, transaction monitoring, and the Travel Rule.

What is the difference between VASP and CASP?

VASP is the global FATF term covering AML/CFT obligations for virtual asset businesses. CASP is the EU-specific designation under MiCA, which adds organizational governance, capital reserve, and consumer protection requirements on top of the VASP-equivalent AML baseline. A CASP license grants passporting rights across the full EU/EEA. The transition deadline for EU VASPs to become CASPs is July 1, 2026.

What does Bitcoin VASP compliance require?

VASP compliance requires a written AML/CFT program, customer due diligence at onboarding and ongoing, sanctions screening against OFAC, UN, and EU lists, Travel Rule data transmission for qualifying transfers, suspicious activity reporting, and transaction monitoring using blockchain analytics tools. Enhanced Due Diligence applies to high-risk customers including politically exposed persons and customers from FATF-listed jurisdictions.

Which jurisdictions require VASP registration for Bitcoin exchanges?

Over 60 jurisdictions have enacted VASP registration or licensing requirements as of May 2026. These include the US (FinCEN MSB registration plus state-level money transmitter licenses), the EU (CASP authorization under MiCA), the UK (FCA registration), Australia (AUSTRAC registration), Singapore (MAS Payment Services Act license), Brazil (Banco Central do Brasil license), and UAE (VARA registration).

What happens if a Bitcoin exchange fails VASP compliance?

Consequences range from deregistration and forced market exit to financial penalties and criminal referrals. Under MiCA, unauthorized CASPs operating in the EU after July 1, 2026 face immediate enforcement. France issued 14 enforcement notices to non-compliant platforms in Q4 2025. In the US, FinCEN penalties for BSA violations have exceeded $500 million in individual settlements. Exchanges that fail VASP compliance also lose access to banking relationships, as correspondent banks conduct their own VASP due diligence.

Conclusion

Bitcoin VASP compliance in 2026 is no longer a single checklist. It is a jurisdiction-by-jurisdiction matrix of registration requirements, AML program standards, Travel Rule obligations, and increasingly, capital and governance expectations borrowed from the traditional financial sector. The July 1, 2026 MiCA transition deadline is the most immediate pressure point, but the simultaneous tightening in the US, Australia, and Brazil means that exchanges operating across multiple markets are managing compliance obligations on several fronts at once.

The most practical action for any market participant is to verify that the platforms they use hold current licenses in every jurisdiction where they operate. An exchange that operated legally last year under a transitional registration may not be operating legally after July 1 if its CASP application was rejected or is still pending.

If you are looking to trade Bitcoin on a fully licensed and VASP-compliant platform, the BYDFi guide to buying BTC walks through account setup on a regulated exchange step by step. For current BTC price data and market context as the regulatory landscape continues to shift, the BYDFi Bitcoin overview is a practical reference throughout 2026.